Is it possible to configure the Cisco ASA side with a policy-based site-to-site VPN and the AWS side with a route-based VPN?

subrun.jamil
Level 1

Hello,

Can you advise: is it possible to configure the Cisco ASA side with a policy-based site-to-site VPN and the AWS side with a route-based VPN?

As far as I know, AWS supports only route-based VPN.

4 Replies

pzkqx6000
Level 1

It is. As far as I know, you won't be able to have an active/active scenario with the 2 redundant DC sites they provide. You will have an active/passive scenario with an IP SLA on your side and DPD for failover purposes (and two crypto map peerings to the AWS DC peers).

 

Thank you for the quick reply. And does that work without the global commands below? My fear is that if I add the global commands below, it will impact my other existing VPNs on the same VPN box, and I want to avoid that.

 

crypto ipsec df-bit clear-df 'outside_interface'
sysopt connection tcpmss 1379
crypto ipsec security-association replay window-size 128
crypto ipsec fragmentation before-encryption 'outside_interface'

And did that work on version 9.9 or around this version?

You do not need those commands for the AWS VPN to work. If you have active L2L VPNs up and running, it is OK if you do not apply them. Anyway, I think the DF bit setting can be configured under the crypto map configuration instead of globally.

 
